User Certificate - Cannot find the certificate and private key for decryption error

FootShopAB
OpenVpn Newbie
Posts: 4
Joined: Fri Mar 19, 2021 11:06 am

User Certificate - Cannot find the certificate and private key for decryption error

Post by FootShopAB » Fri Mar 26, 2021 2:23 pm

We're attempting to create a new VPN instance on PFSense using user & computer certificates issued by our ADCA.

The certs are deployed via GPO & are located in the respective certificate stores (with the distinguished name, email & principal name from AD for user & computer name for computer as the Subject respectively) & OpenVPN 2.5.1 is deployed with both Interactive & Service modes enabled.

Here is our .ovpn file:

client
dev tun
persist-tun
persist-key
data-ciphers AES-128-GCM
data-ciphers-fallback AES-128-GCM
auth SHA256
tls-client
client
resolv-retry infinite
remote server.name 443 tcp4
setenv opt block-outside-dns
verify-x509-name "server.name" name
remote-cert-tls server
compress

<ca>
-----BEGIN CERTIFICATE-----
x
-----END CERTIFICATE-----
</ca>

cryptoapicert "SUBJ:"

key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
x
-----END OpenVPN Static key V1-----
</tls-auth>


If the following .ovpn file is placed in config-auto, it runs fine under the OpenVPNService Service, using the Computer certificate. The computer cert appears in PFSense's VPN Connection List & resources can be accessed fine.

If the same .ovpn is placed in the config folder (or the C:\Users\USERNAME\OpenVPN\config folder) & we attempt to make OpenVPN use the certificate under the Current User Personal Certificate store, it fails with the following error:


2021-03-26 11:39:55 OpenSSL: error:C5066064:microsoft cryptoapi:CryptAcquireCertificatePrivateKey:Cannot find the certificate and private key for decryption.
2021-03-26 11:39:55 Cannot load certificate "SUBJ:" from Microsoft Certificate Store
Event Viewer not showing anything when the connection fails.
Last edited by FootShopAB on Fri Mar 26, 2021 3:56 pm, edited 1 time in total.

TinCanTech
OpenVPN Protagonist
Posts: 8888
Joined: Fri Jun 03, 2016 1:17 pm

Re: User Certificate - Cannot find the certificate and private key for decryption error

Post by TinCanTech » Fri Mar 26, 2021 2:44 pm

FootShopAB wrote:
Fri Mar 26, 2021 2:23 pm
OpenSSL: error:C5066064:microsoft cryptoapi:CryptAcquireCertificatePrivateKey:Cannot find the certificate and private key for decryption.
Looks like the key is missing.

FootShopAB
OpenVpn Newbie
Posts: 4
Joined: Fri Mar 19, 2021 11:06 am

Re: User Certificate - Cannot find the certificate and private key for decryption error

Post by FootShopAB » Fri Mar 26, 2021 4:05 pm

Our ADCA, which generates the certificates, is providing the certificate verification. There is no key in the .ovpn or in a separate file.

The Machine cert behaves as expected, but the User cert doesn't.

TinCanTech
OpenVPN Protagonist
Posts: 8888
Joined: Fri Jun 03, 2016 1:17 pm

Re: User Certificate - Cannot find the certificate and private key for decryption error

Post by TinCanTech » Fri Mar 26, 2021 4:38 pm

FootShopAB wrote:
Fri Mar 26, 2021 2:23 pm
2021-03-26 11:39:55 OpenSSL: error:C5066064:microsoft cryptoapi:CryptAcquireCertificatePrivateKey:Cannot find the certificate and private key for decryption.
2021-03-26 11:39:55 Cannot load certificate "SUBJ:" from Microsoft Certificate Store
FootShopAB wrote:
Fri Mar 26, 2021 4:05 pm
The Machine cert behaves as expected, but the User cert doesn't.
Because it is not there.

See --cryptoapicert in the manual.

300000
OpenVPN Super User
Posts: 497
Joined: Tue May 01, 2012 9:30 pm

Re: User Certificate - Cannot find the certificate and private key for decryption error

Post by 300000 » Sat Mar 27, 2021 11:56 am

You need to export the certificate from the computer store and import it into my certificate store, so that when it runs OpenVPN can find the certificate in the user's personal store. At the moment the ADCA only pushes the certificate down to the computer certificate store. You can find a way to use gpedit.msc to create a policy and push that certificate down so it works for you.

FootShopAB
OpenVpn Newbie
Posts: 4
Joined: Fri Mar 19, 2021 11:06 am

Re: User Certificate - Cannot find the certificate and private key for decryption error

Post by FootShopAB » Mon Mar 29, 2021 3:11 pm

300000 wrote:
Sat Mar 27, 2021 11:56 am
You need to export the certificate from the computer store and import it into my certificate store, so that when it runs OpenVPN can find the certificate in the user's personal store. At the moment the ADCA only pushes the certificate down to the computer certificate store. You can find a way to use gpedit.msc to create a policy and push that certificate down so it works for you.
TinCanTech wrote:
Fri Mar 26, 2021 4:38 pm
Because it is not there.
We have a policy to push both certificates. The computer cert gets pushed at system boot and the user certificate is pushed at user login...

For example - on my laptop, I've checked in my personal store, and it's there, generated by ADCA, with all the details specified... :?

ADCA User Certificates - https://www.dropbox.com/s/r7amszgkwikfstx/1.png?dl=0
Certificate: General - https://www.dropbox.com/s/p5tbgqdgpfhn91o/2.png?dl=0
Certificate: Properties - https://www.dropbox.com/s/atelcog4vzze0xy/3.png?dl=0
Certificate: Chain - https://www.dropbox.com/s/rfhea0a65xmkyzm/4.png?dl=0

I'm informed that looking for the "SUBJ:" certificate will just match any detail from the subject line of the certificate from the user store?
TinCanTech wrote:
Fri Mar 26, 2021 4:38 pm
See --cryptoapicert in the manual.
Can you point me to the area in the manual where this is documented? I'm not finding it in the Community Resources or Wiki.

Edit - I see Dropbox was blocking the image linking. I've attached shortcuts.
Last edited by FootShopAB on Mon Mar 29, 2021 8:44 pm, edited 1 time in total.

300000
OpenVPN Super User
Posts: 497
Joined: Tue May 01, 2012 9:30 pm

Re: User Certificate - Cannot find the certificate and private key for decryption error

Post by 300000 » Mon Mar 29, 2021 5:27 pm

You need to check the thumbprint and write it down as in the picture. Make sure you don't copy it, because Microsoft inserts a space so it won't work if you copy.

cryptoapicert " THUMB: 42a172b0189a8d665f3bb75830e2d5c0d54aea21"
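A PowerShell diagnostic, added here and not posted in this thread, that mirrors the lookup cryptoapicert depends on: it matches certificates by subject substring (the SUBJ: form) or by thumbprint (the THUMB: form) in both the CurrentUser and LocalMachine personal stores, tests whether the private key can actually be opened in the security context the script runs in (the operation that failed in the log above), and prints a thumbprint free of the hidden characters the certificate dialog copies. The parameter names are my own.

```powershell
# Added diagnostic, not code from the thread or from OpenVPN.
# Run once as the interactive user and once under the service account to
# compare what each context can see in the two stores.
param(
    [string]$SubjectMatch = '',   # substring to match, like cryptoapicert "SUBJ:..."
    [string]$Thumbprint   = ''    # hex thumbprint, like cryptoapicert "THUMB:..."
)

# Keep only hex digits: the certificate dialog copies spaces and invisible
# characters along with the thumbprint, which is what breaks a THUMB: lookup.
$cleanThumb = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
    $certs = Get-ChildItem -Path $store | Where-Object {
        ($SubjectMatch -eq '' -or $_.Subject -like "*$SubjectMatch*") -and
        ($cleanThumb -eq '' -or $_.Thumbprint -eq $cleanThumb)
    }
    foreach ($c in $certs) {
        $keyStatus = 'no private key in this store'
        if ($c.HasPrivateKey) {
            try {
                # Open the key handle, which is what CryptAcquireCertificatePrivateKey
                # does for OpenVPN; a GPO-deployed cert can carry the flag but have
                # a key that this account is not permitted to use.
                $k = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($c)
                if ($k) { $keyStatus = 'private key opened OK'; $k.Dispose() }
                else    { $keyStatus = 'HasPrivateKey set but no RSA key handle (non-RSA key?)' }
            } catch {
                $keyStatus = "HasPrivateKey set but key not accessible: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{
            Store      = $store
            Subject    = $c.Subject
            NotAfter   = $c.NotAfter
            Thumbprint = $c.Thumbprint   # clean hex, safe to paste after THUMB:
            KeyStatus  = $keyStatus
        }
    }
}
```

A cert listed only under LocalMachine\My, or listed under CurrentUser\My without an openable key, explains the "Cannot find the certificate and private key" error for that context.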

FootShopAB
OpenVpn Newbie
Posts: 4
Joined: Fri Mar 19, 2021 11:06 am

Re: User Certificate - Cannot find the certificate and private key for decryption error

Post by FootShopAB » Mon Mar 29, 2021 8:42 pm

Right, so you're suggesting that we need to manually write out the fingerprint of every cert. That's not compatible with what we're looking to do here. The idea is AD will manage and push device and user certs as they're renewed/replaced. The .ovpn is checking them against the ADCA when they are used and will allow us to revoke the cert.

This is working for the device cert. We would happily use that alone if OpenVPN GUI was able to reflect the current VPN status, but expecting users who already struggle with using laptops and the GUI in Interactive mode to restart Services if their connection stalls isn't feasible.

I guess rather than saying 'are we doing this wrong' it's more to get a diagnosis of why OpenVPN/OpenVPN GUI/OpenSSL/whatever cannot see the active user's cert. Is it unable to open the user certificate store because it's trying to open it with the wrong name? (i.e. is it using the user account name (firstname.lastname), but the subject features the principal name (i.e. firstname lastname)?)

300000
OpenVPN Super User
Posts: 497
Joined: Tue May 01, 2012 9:30 pm

Re: User Certificate - Cannot find the certificate and private key for decryption error

Post by 300000 » Mon Mar 29, 2021 9:18 pm

That is how certificates work if you want to store certificates in the Windows store. How does OpenVPN call and use a certificate from the Windows store? If you know how certificates are used in Linux, it is simple but not secure in the same way; if you want the security of Windows store certificates but don't want to do anything, just install an IKEv2 VPN server on Windows and you can have full control and renew certificates from Windows.

An IKEv2 VPN server in Windows can do the same as OpenVPN if you are an all-Windows user base. They offer better than OpenVPN, but you need to pay for a license, or just simply create an inline certificate in Windows as you do with a CA public certificate so you don't need to think about the certificate store at all.

If you store certificates in the Windows store you must edit it every time you change or renew a certificate; that is the fact, nothing can be done automatically by OpenVPN for you.
